Thursday, July 21, 2016

If you are a frequent internet user, it is very likely that you have used or heard of Proxy Servers. Some of us might also have heard the terms Forward Proxy Server and Reverse Proxy Server. But what are they actually? How do they work? And how are they different from each other?

Let's understand them in detail.

What are Proxy Servers?

A Proxy Server is a server that works as an intermediary between a client requesting a connection or service and a server that provides the resource. All requests from the client, as well as the responses from the server, pass through the Proxy Server. This gives a single point of administrative control over the content being relayed and, at the same time, hides the IP address of the host behind the Proxy Server from the other side of the connection.

We will look at this in detail.

Types
of Proxy Servers

Depending
on how the Proxy server function, there are three main types of Proxy
Server :

Forward Proxy Server

Reverse Proxy Server

Open Proxy Server

Forward Proxy Server

A Forward Proxy Server is a proxy server that provides proxy services to a group of clients, usually the hosts of an internal network. When one of the clients in the internal network makes a connection request, the request passes through the Forward Proxy Server. The Forward Proxy Server inspects the request and decides whether the connection should proceed. If it should, the proxy opens its own connection to the requested server that provides the resource. The requested server cannot see the IP address of the requesting client in the internal network; it sees the connection as coming from the Forward Proxy Server. The requested server sends its response to the Forward Proxy Server, and the proxy then relays the response to the requesting client inside the internal network.

When is a Forward Proxy Server used?

There are a number of reasons for using a Forward Proxy Server:

A Forward Proxy Server typically works together with a firewall, which blocks direct outbound connections so that the proxy is the only way out. The proxy can then control all traffic originating from clients in the internal network and help protect the internal network.

A Forward Proxy Server acts as a single point of access and control for the clients in the internal network. As it can inspect and filter the content being relayed, it is easier to enforce security policies (allowed destinations, content filtering, logging) at a Forward Proxy Server than on every client.

A Forward Proxy Server hides the IP addresses of the clients in the internal network from external servers, so the internal addressing and the individual hosts are not exposed directly to the internet.

Reverse Proxy Server

When a group of servers provides resources to external clients, another type of proxy server, a Reverse Proxy Server, can be placed in front of them to protect the group of servers providing the services. With a Reverse Proxy Server, when an external client makes a request to one of the servers in the internal network, the request reaches the Reverse Proxy Server first. If the request is allowed, the proxy forwards it to an internal server, and the internal server sends its response back through the Reverse Proxy Server. The external client cannot see the IP address of the internal server; it sees the connection as coming from the Reverse Proxy Server. So, while a Forward Proxy Server hides the IP addresses of the internal clients requesting services, a Reverse Proxy Server hides the IP addresses of the internal servers providing services.

When is a Reverse Proxy Server used?

There are a number of reasons for using a Reverse Proxy Server:

As a Reverse Proxy Server hides the IP addresses of the internal servers, an attacker cannot address the internal servers directly; every request has to go through the proxy, which makes it considerably harder to attack the internal servers in order to steal data or mount further attacks.

A Reverse Proxy Server also works together with a firewall. As it is the single point of access and control for the internal servers, it can inspect and filter the content being relayed before it reaches an internal server, and so enforce security for the internal servers.

A Reverse Proxy Server can also act as a load balancer for the group of internal servers behind it. When a Reverse Proxy Server receives a large volume of incoming requests, it can distribute the incoming traffic across a cluster of servers that provide the same service. For example, a Reverse Proxy Server can perform load balancing for a cluster of FTP servers behind it.

If more than one server in the internal network needs to serve traffic over SSL/TLS, a Reverse Proxy Server can terminate the SSL/TLS connections for all of them, optionally using SSL acceleration hardware. The internal servers then sit behind a single SSL proxy, which eliminates the need to install and manage separate SSL certificates on each internal server. Note that in this setup the traffic between the Reverse Proxy Server and the internal servers is no longer encrypted unless the proxy re-encrypts it, so either that internal network segment has to be trusted or the connections to the internal servers must be made over SSL/TLS as well.

A Reverse Proxy Server can cache the static content of the internal web servers behind it, thus reducing the load on the web servers.

A Reverse Proxy Server can also optimize and compress content to reduce the load time of the service.

If the requesting external clients are very slow, a Reverse Proxy Server can read the complete response from the internal server, buffer it, and feed it to the slow external client at whatever rate the client can accept, so that the internal server is freed quickly instead of being tied up by the slow client.

So, to summarize: for a Forward Proxy Server, connection requests come from a group of internal clients behind the proxy server and pass through the proxy server, which hides the IP address of the requesting internal client. For a Reverse Proxy Server, connection requests come from external clients to a group of internal servers behind the proxy server, and the connections pass through the proxy server, which hides the IP addresses of the internal servers.
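The two directions described above, as an added example that is not part of the original post: the request-rewriting core of a forward proxy (egress policy, absolute-form to origin-form rewriting, no client address leaked) and of a reverse proxy (backend selection, Host rewriting, and an X-Forwarded-For the backends can trust). The allowlist, the backend addresses, the round-robin choice and the sample requests are constructed for the example; a real proxy would wrap these functions in socket handling.

```python
# Request-rewriting core of a forward proxy and of a reverse proxy. Added example
# code, not from the original post; it works on raw HTTP/1.1 request bytes so it
# runs offline, and a real proxy would wrap it in socket handling.
import itertools
from urllib.parse import urlsplit

# Hop-by-hop headers (RFC 7230, section 6.1) plus the proxy-specific ones: a proxy
# consumes these itself and must not pass them on to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "proxy-connection", "te", "trailer", "transfer-encoding", "upgrade"}

def parse_request(raw):
    """Split a request into (method, target, version, [(name, value)...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body

def build_request(method, target, version, headers, body=b""):
    head = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + body

def forward_proxy_rewrite(raw, allowed_hosts):
    """Forward proxy: the internal client sends an absolute-form target
    (GET http://host/path HTTP/1.1); the proxy enforces its egress policy and
    returns (host, port, origin-form request) for the connection it opens itself."""
    method, target, version, headers, body = parse_request(raw)
    if method == "CONNECT":            # assumed policy: no opaque tunnels through this proxy
        raise PermissionError("CONNECT tunnelling is not allowed")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("forward proxy expects an absolute http:// request target")
    if url.hostname not in allowed_hosts:
        raise PermissionError(f"destination {url.hostname} is not on the allowlist")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    # Drop hop-by-hop headers (Proxy-Authorization among them) and rebuild Host.
    # Nothing identifying the client is added: the destination sees only the proxy.
    kept = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP and n.lower() != "host"]
    kept.insert(0, ("Host", url.netloc))
    kept.append(("Connection", "close"))
    return url.hostname, url.port or 80, build_request(method, path, version, kept, body)

class ReverseProxy:
    """Reverse proxy in front of a pool of backends (assumed: round-robin, plain
    HTTP to the backends): rewrites Host and sets a trustworthy X-Forwarded-For."""

    def __init__(self, backends):
        self._cycle = itertools.cycle(backends)      # e.g. [("10.0.0.11", 8080), ...]

    def rewrite(self, raw, client_ip):
        method, target, version, headers, body = parse_request(raw)
        if target.startswith(("http://", "https://")):
            raise ValueError("absolute-form target refused: this is not an open proxy")
        host, port = next(self._cycle)
        # Host and X-Forwarded-For are set by the proxy; the client's copies are
        # untrusted input. A client can send any X-Forwarded-For it likes, so the
        # edge proxy replaces it with the address it saw on the TCP connection
        # instead of appending to it; only a trusted upstream proxy should append.
        kept = [(n, v) for n, v in headers
                if n.lower() not in HOP_BY_HOP and n.lower() not in ("host", "x-forwarded-for")]
        kept.insert(0, ("Host", f"{host}:{port}"))
        kept.append(("X-Forwarded-For", client_ip))
        kept.append(("Connection", "close"))
        return host, port, build_request(method, target, version, kept, body)

if __name__ == "__main__":
    # Constructed sample requests, one per direction.
    internal = (b"GET http://intranet.example.com/docs?x=1 HTTP/1.1\r\nHost: intranet.example.com\r\n"
                b"Proxy-Authorization: Basic Ym9iOnB3\r\nUser-Agent: demo\r\n\r\n")
    print(forward_proxy_rewrite(internal, {"intranet.example.com"})[2].decode())
    external = b"GET /login HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 1.2.3.4\r\n\r\n"
    print(ReverseProxy([("10.0.0.11", 8080), ("10.0.0.12", 8080)]).rewrite(external, "203.0.113.9")[2].decode())
```

Two points are worth noticing in the output. The forward proxy strips Proxy-Authorization before the request leaves, otherwise the internal client's proxy credentials would be handed to every destination it visits. On the reverse side, the backends must trust X-Forwarded-For only because the reverse proxy overwrites it; a backend that is reachable directly, bypassing the proxy, can be fed a forged client address, which is another reason to keep the internal servers unreachable except through the proxy.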

Open Proxy Server

An Open Proxy Server is a proxy server that is accessible to any internet user. If an internet user uses an Open Proxy Server, all the connection requests as well as the responses pass through the Open Proxy Server, hiding the IP address of the internet user. So, using an Open Proxy Server a user can hide his IP address from the requested web servers or internet content providers.

Why use an Open Proxy Server?

An Open Proxy Server can help a user hide his IP address from the internet content providers he connects to. But please note that anonymity or comprehensive internet security is not achieved by using an Open Proxy Server alone: the operator of the open proxy sees every request and response that passes through it, can read or modify anything that is not end-to-end encrypted, and may keep logs of who connected where. The user is trusting an unknown operator with exactly the traffic he wanted to hide.

Proxy vs NAT

The main difference between a proxy and NAT lies in the layer of the OSI Reference Model at which they operate. A proxy works mostly at layer 7, the application layer: it terminates the client's connection, understands the protocol being relayed (for example HTTP) and opens a separate connection of its own to the destination. NAT works at layer 3: it rewrites the source or destination IP address (and usually the port) of each packet and forwards the packet without understanding the application protocol. As they operate at different layers, their configuration also differs.

For NAT, configuring the gateway is sufficient; the clients need no change. For a proxy, each client must be configured to send its requests to the proxy server instead of the final destination (or the network must transparently redirect the client's traffic to the proxy), so one has to take care of that.

So, this article gives an overview of how proxies work. Hope it helped.

Thursday, July 7, 2016

Public key encryption technologies such as RSA (and signature schemes such as DSA) are built on public key cryptography. Every user has his own public-private keypair, and anyone who knows the public key can start encrypted communication with the user. But there is a major drawback: these technologies depend on a public key distribution infrastructure. Each user generates his keypair and has his public key certified by a trusted Certificate Authority. Anyone who wants to start an encrypted communication has to obtain the user's public key certificate and verify it against the Certificate Authority before the encrypted communication starts. This process is time consuming, error-prone and at times quite inconvenient. Identity Based Encryption, or IBE, is an encryption technology developed to remove these barriers to a great extent and yet provide secure communication.

Identity Based Encryption, or IBE, is a type of public key encryption in which the public key of a user is some unique piece of information based on the identity of the user, such as an email address. Anyone who wants to send an encrypted message to the user can encrypt it using the text value of that identity, such as the email address, together with the public parameters of the system, and send it across. The user decrypts the message using the private key associated with the identity based public key.

How does Identity Based Encryption work?

IBE works in the following way:

A trusted third party called the Private Key Generator, or PKG, first generates its own public-private keypair. It publishes its public key, called the Master Public Key (together with the public parameters of the scheme), and keeps the private key, called the Master Private Key or Master Key, secret.

A user who wants an IBE keypair first obtains the Master Public Key of the PKG. The user's public key is then simply his identity value, such as his email address, combined with the Master Public Key; anyone can compute it without contacting the PKG.

The user then authenticates himself to the PKG. The PKG must verify that the requester really owns that identity, otherwise anyone could obtain the private key for someone else's email address. The PKG combines the user's identity with its own Master Private Key to generate the private key of the user and hands it to him over a secure channel.

Anyone who wants to send an encrypted message to the user can encrypt it with the identity based public key, for example his email address. The user decrypts it using his private key obtained from the PKG.

Can a user expire his Identity Based Encryption keys?

Technically, a user can expire his IBE keys.

Suppose a user named Bob wants to expire his IBE keys every year, and he wants to use his email address bob@example.com for that purpose. To do that, Bob can append the current year to his email address, i.e. he can use 'bob@example.com | <current year>' as the identity based public key, based upon which the PKG generates his private key. That private key is valid for the current year only. After the end of the year, Bob changes the value of the year in the identity based public key and obtains the corresponding new private key from the PKG.

Please note that even if Bob changes his private key, a sender who wants to send an encrypted message to Bob need not worry much. He just changes the value of the current year in the identity based public key, here 'bob@example.com | <current year>', and encrypts the message with that. The sender never needs to contact the PKG at all, and the user contacts it only once per validity period to collect his private key. This is one of the most significant advantages of IBE.

What if a user's Identity Based Encryption keys are lost or stolen?

Well, this problem can also be handled.

A user can append the current date instead of the current year to his identity, for example his email address, to obtain his identity based public key and the corresponding private key, as described above.

Now suppose the user stores his private keys on his laptop and the laptop is lost for three days. In that case only the private keys corresponding to those three days are compromised, together with any messages encrypted to those three identities. From the fourth day onwards, he can keep obtaining his new private keys from the PKG as usual and continue normal operations. The price of this finer-grained expiry is that the user has to contact the PKG once per period, here once a day, and the PKG has to be available to issue the keys.

Advantages of Identity Based Encryption

IBE has several advantages :

If a user Alice wants to send an encrypted message to Bob, whose email address is bob@example.com, she does not need to obtain Bob's public key certificate or verify it with any Certificate Authority. She can just encrypt the message using the text value of Bob's email address bob@example.com and send it across. This is much simpler, more convenient and less time consuming than any public key encryption technology based on a Public Key Infrastructure.

IBE eliminates the need for a Public Key Infrastructure. Authenticity of the public key is implicit, because the identity itself is the public key; the trust that a PKI places in the Certificate Authority is instead placed in the PKG that issues the private keys.

As IBE eliminates certificates, it removes the hurdles of PKI: certificate lookup, key life cycle management, certificate revocation and cross-certification. This makes the security system more dynamic, lightweight and scalable.

An organization can maintain its own PKG quite efficiently. It can issue a private key to every employee based on his corporate email address, and when an employee leaves the organization, it simply instructs the PKG not to generate any further private keys for that user. Combined with the date-based identities described above, the departed employee's ability to decrypt new mail then ends with the current period.

IBE can also be used efficiently in some more complex scenarios. For example, suppose an employee has several assistants, for purchasing, HR and so on, each of whom may read the emails that fall within his responsibility. In that case a sender can encrypt an email to the identity formed from the employee's email address and a tag naming the appropriate assistant, for example 'bob@example.com | purchasing'. The PKG generates a separate private key for each assistant from the employee's email address appended with that assistant's tag and hands it out. As a result, each assistant can read the emails that fall within his responsibility but not those of the others, and it is convenient for the sender as well, who never has to look up any assistant's key.

Drawbacks of Identity Based Encryption

IBE has a couple of drawbacks. The major ones are:

If the PKG is compromised, the Master Private Key is compromised, and with it every private key the PKG has issued or could issue. The attacker can then decrypt all messages ever encrypted under that PKG's Master Public Key, including old ones.

The PKG generates the private keys of all users from its own Master Private Key, so technically it can decrypt any message of its users (and, in an identity based signature scheme, sign on their behalf) without authorization. This property is known as key escrow. As said earlier, an organization can run its own PKG and trust its administrators, which limits the problem to parties that already have to be trusted.

This was just an introductory article on Identity Based Encryption to give some basic information. Hope you liked it.